Author: Graeme Fowler
Date:
To: exim-users
Subject: Re: [exim] 4.74 exim.conf has the wrong owner, group, or mode
Marc
On Mon, 2011-01-31 at 17:41 +0000, Nigel Metheringham wrote:
> On 31 Jan 2011, at 16:56, Marc Perkel wrote:
> > I assume you are referring to this?
> >
> > * Exim will no longer accept a configuration file owned by the Exim
> > run-time user, unless that account is explicitly the value in
> > CONFIGURE_OWNER, which we discourage. Exim now checks to ensure that
> > files are not writable by other accounts.
> >
> > You're trying to force a feature that not everyone wants. I think it's a bad idea. You can't assume that everyone is running in an environment like what you imagine. It just becomes a pain in the ass for those who don't want your artificial restrictions.
I'm replying to Nigel's on-list reply because:
1. You clearly do not follow the mailing list;
2. You clearly have not seen the CVEs which were issued regarding
security issues in Exim which permitted external third-parties to gain
remote access to a system by exploiting a bug within the config file
handling code;
3. I think you warrant a *slightly* - but only slightly - more polite
reply.
The restrictions you refer to were discussed at length on this list and
the -dev list, in response to reports that bugs in Exim were being
exploited. Systems have been rooted (and will continue to be, because
some folks won't update).
Next time we find or have a security hole reported, remind me to
encourage everyone involved to speak to you personally to request that
you approve the changes which result from that.
Alternatively you could do what everyone else does. Read the docs, and
do some research if something incompatible happens to occur with your
setup.
Trust me: the "pain in the ass" you are currently experiencing is nothing
compared to someone destroying your business by rooting your servers.
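
The owner, group and mode rule quoted from the release notes above, written out as an added example for auditing a configuration file before an upgrade; it is not part of the original message and not Exim's own code. The uid/gid 101 used for the Exim run-time user, the function names and the exact group and mode conditions are assumptions made for illustration.

```python
import os
import stat

ROOT_UID = 0
ROOT_GID = 0


def audit_owner_mode(uid, gid, mode, configure_owner=None, configure_group=None):
    """Return the reasons a config file with these stat values would be refused.

    configure_owner / configure_group stand in for the build-time
    CONFIGURE_OWNER / CONFIGURE_GROUP values (None means not set).
    """
    trusted_uids = {ROOT_UID}
    if configure_owner is not None:
        trusted_uids.add(configure_owner)
    trusted_gids = {ROOT_GID}
    if configure_group is not None:
        trusted_gids.add(configure_group)

    problems = []
    # Only root, or the explicitly configured owner, may own the file.
    if uid not in trusted_uids:
        problems.append("owner")
    # Group write access only matters when the group is not a trusted one.
    if mode & stat.S_IWGRP and gid not in trusted_gids:
        problems.append("group")
    # World-writable is never acceptable.
    if mode & stat.S_IWOTH:
        problems.append("mode")
    return problems


def audit_path(path, **build_options):
    """Audit a real file; os.stat follows symlinks, so the target is checked."""
    st = os.stat(path)
    return audit_owner_mode(st.st_uid, st.st_gid, st.st_mode, **build_options)


if __name__ == "__main__":
    EXIM_ID = 101  # constructed sample uid/gid for the Exim run-time user
    samples = {    # constructed (uid, gid, mode) triples
        "root-owned, 0640": (0, 0, 0o100640),
        "owned by exim user": (EXIM_ID, EXIM_ID, 0o100640),
        "group-writable by exim": (0, EXIM_ID, 0o100660),
        "world-writable": (0, 0, 0o100646),
    }
    for label, triple in samples.items():
        print(f"{label}: {audit_owner_mode(*triple) or 'ok'}")
```
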